Plan Fiduciaries Beware! Strategies for Avoiding Cybersecurity Breach of Benefit Plan Documents

Plan fiduciaries have numerous responsibilities under the law when administering programs and handling participant funds and benefits, including the responsibility to make sure the technology they choose to use is secure. A cybersecurity breach, especially one that exposes personal identification information (PII) or leads to a loss of funds, can create significant liability for the plan.

Who is Legally Liable?

Employee benefit plans are governed by ERISA and its accompanying regulations. While cybersecurity isn’t specifically listed as a fiduciary responsibility, plans are required to protect both plan assets and participant data through their duties of prudence and loyalty. Since the methods for doing so have changed since the 1970s when ERISA was first enacted, regulations have adapted to consider new technology. It is likely that regulations and court decisions will soon reflect data security and computer security very specifically in a fiduciary’s obligations.

What Should You Do?

Regardless of liability, no one wants to be the one whose plan data was compromised. Fiduciaries should pay attention to the current state of security technology, work with advisors, and design procedures with built-in double-checks so that transactions are verified as appropriate before they are executed.

Consulting with security experts and benefit plan attorneys to develop a fiduciary cybersecurity legal compliance paradigm is the first step in bringing a system up to date. Fiduciaries should also take a periodic deep dive into their setup to ensure the systems their service providers are using are also secure and in line with security goals. Not only should the systems be secure, but comprehensive agreements need to be in place between the different parties to allow audits and to assign liability to the party where a breach occurs. These agreements should specifically highlight the security obligations the service provider has to the plan and provide for a variety of remedies in the event of a breach.

No system is completely secure, and a breach is just as often caused by people and processes as by technology. It’s important to address not just the system and its protocols, but also the people and the data handling processes in place. Changing your password monthly is only as useful a protection method as people not writing their new password on a sticky note or storing it somewhere else less secure.

The benefits lawyers at Hall Benefits Law work with our clients to implement security procedures, discuss potential contract changes, and continue to review systems as technology and regulations evolve. Call our office today at 678-439-6236 or visit the Hall Benefits Law website to learn more about our services.

Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.